I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

like a strange statement, since I'm sure everyone reading this has been using Ethernet for years, but seriously, how many network engineers do you know who could explain Manchester bit encoding or how Fast Link Pulses work? Not very many, of course, and why should they? After all, Ethernet is one of those protocols that "just works." Network administrators don't understand it for the very simple reason that they never have to troubleshoot it.

VLANs are pretty much the same way. Sure, the configuration of a few more advanced topics like VTP and VLAN pruning can give you a mental workout, and of course, nobody likes Spanning-Tree Protocol, but really, when was the last time you really needed to know how your switches implemented VLANs? For the most part, you define a VLAN, and assign ports to it, and define trunk ports and configure which VLANs can cross it... and it just works... simple as that.

But it's precisely this simplicity that can lull you into leaving open a raft of security vulnerabilities.

So as I was checking a few quick facts for this tip, I ran across an @Stake white paper so concise and illuminating, despite being 2 years old, that I decided to just link you to it and offer a quick summary.

The reason I like this article is because it explains at a high level, several ways your network can be attacked at Layer 2. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily, so many administrators think that it's impossible to attack VLANs, which is of course, absurd.

So here are a few key points to remember when configuring your network:

VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.

Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, PAgP, CDP, DTP, UDLD and of course STP.

If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

Start the conversation

0 comments

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.